Federation

QNSP supports identity federation with external providers.

Supported protocols

• OIDC: OpenID Connect 1.0
• SAML: SAML 2.0

Federation model

External identities are linked to QNSP identities:

External IdP → QNSP Identity
     ↓              ↓
  sub: abc123  →  user-uuid

Multiple providers

A tenant can configure multiple IdPs:

• Different providers for different user populations
• Fallback providers
• Migration scenarios

Identity linking

Users can link multiple external identities:

• Same user, different IdPs
• Account recovery via alternate IdP

Trust configuration

Per-provider settings:

• Allowed domains
• Required claims
• Role mapping rules
• JIT provisioning rules

Bootstrap

First admin must be created via:

1. Direct registration (if enabled)
2. Pre-configured bootstrap identity
3. API with bootstrap token